Site Search Navigation

Site Navigation

Site Mobile Navigation

Impose Real Privacy Rules

Marvin Ammori is a law professor at the University of Nebraska-Lincoln and advises the advocacy group Free Press. He is an Affiliate Scholar of Stanford Law School's Center for Internet & Society.

Updated December 2, 2010, 3:41 PM

Self-regulation by online companies will continue to fail to protect privacy because these companies’ incentives, including lax security incentives, will result in privacy abuses. Direct regulation, not mere consumer consent, is necessary here, as it is in many other areas.

Under a consent model, consumers would have to read ever-changing policies about rapidly changing technologies.

Self-regulation is like calling your own fouls in playground basketball, which isn't easy. But calling your own fouls in the online privacy arena is more complicated and less likely to work. What constitutes a foul isn’t clear, as the parameters of privacy harms are subject to debate and develop alongside evolving technologies. Partly because of information asymmetries -- few consumers know the extent of tracking, retention, and subsequent sale of their data among companies or what their options are -- only one team calls the fouls, namely the ad industry team.

As a result, industry becomes player, referee, and rule maker. Even then, not all companies will play by the rules of self-regulation. Worse, information retention and tracking place consumers at risk of hackers, spammers and identity thieves. But the companies retaining the information do not bear these risks; we do.

Nevertheless, government regulation can fail as badly as self-regulation. For example, an over-reliance on consent-based approaches could fail. The "do not track" proposal is based on consent principles, and aims to empower citizens to choose whether or not to be tracked. But implementation is crucial to how consent-based models operate and succeed. To visit some sites, I often have to “activate cookies” and “click here.” Sites could require disarmament of "do not track" for full access to their content. And if consumers don't have sufficient information to recognize the harm, the consent model would be ineffective.

For privacy, many people would rather have privacy standards, including some proposed by the F.T.C., limiting which information can be tracked, how it can be sold, and how long it can be retained. Under a consent model, consumers would have to read ever-changing policies about rapidly changing technologies to meaningfully consent.

While I recognize the benefits of many data gathering practices, the risks of self-regulation are too high for consumers to bear. Government must impose standards to mitigate that risk, and should begin by empowering the F.T.C. with the necessary rule-making authority to address these evolving issues.